Having read Sucuri’s article about the kirm-sky .ru attack, I decided to complement it with my own information.

I started to track this website infection back in April. It has been active all these months.
Compromised sites redirect search engine traffic to malicious sites. The rest of the traffic is not affected, which helps hide the problem from webmasters, who rarely click on search results to open their own sites. However, this problem is easily detected by Google’s malware scanners, and many webmasters learn about the problem when web browsers start blocking their sites.

Unmask Parasites can also detect the problem and report the malicious 301 redirect.

The redirect rules are quite straightforward. All those RewriteCond lines check whether a visitor came from one of those sites (e.g. Google, Yahoo, Wikipedia, YouTube, Twitter, Flickr, etc.) and redirect them (the last RewriteRule line) to a malicious site.

.htaccess tricks

To hide these rules, hackers inject several screens of blank lines before the malicious code and unless you scroll all the way down, you may think that your .htaccess file doesn’t contain anything suspicious.

Another trick is to place this file above the site root. Many web servers are configured to take this upper-level directory into account. (You can read here how one webmaster learned these tricks while searching for the malicious code.)

URL pattern

URLs of the malicious sites change quite often, but they all follow this pattern: example.ru/dir/index.php, where example.ru is some malicious domain with the .ru TLD, and dir is some random directory. Here are examples of such URLs


In April, hackers didn’t use directories in such URLs, though (e.g. cut-etc .ru/index.php).
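To turn the description above (referer-conditioned RewriteCond lines, a RewriteRule to a .ru/dir/index.php target, screens of blank lines, and a copy of .htaccess above the document root) into a check a webmaster can run, here is an added example scanner. It is not code from the original post; the regular expressions, the padding threshold and the sample .htaccess body are my own constructions that mimic what the post describes.

```python
import re
from pathlib import Path

# Constructed patterns for what the post describes (not the attack's exact rules):
# HTTP_REFERER conditions for search engines / big referrers, and a RewriteRule to
# <domain>.ru/<dir>/index.php (dir was absent in the April variant, so optional here).
REFERER_COND = re.compile(
    r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+\S*"
    r"(google|yahoo|bing|msn|aol|ask|wikipedia|youtube|twitter|flickr)", re.I)
RU_TARGET = re.compile(
    r"^\s*RewriteRule\s+\S+\s+https?://[a-z0-9.-]+\.ru/(?:[a-z0-9_-]+/)?index\.php\b", re.I)
PADDING_THRESHOLD = 20  # blank lines in a row that suggest the hiding trick (assumed value)

def scan_htaccess_text(text):
    """Return (line_no, kind, detail) findings for one .htaccess body."""
    findings, cond_seen, blank_run, max_gap = [], 0, 0, 0
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            blank_run += 1
            continue
        max_gap, blank_run = max(max_gap, blank_run), 0
        if REFERER_COND.match(line):
            cond_seen += 1  # part of a chain of referer conditions
        elif RU_TARGET.match(line) and cond_seen:
            findings.append((no, "redirect", line.strip()))
            if max_gap >= PADDING_THRESHOLD:  # screens of blank lines before the rules
                findings.append((no, "padding", f"{max_gap} blank lines precede the rules"))
            cond_seen = 0
        else:
            cond_seen = 0  # any other directive breaks the cond/rule chain
    return findings

def scan_site(docroot):
    """Scan .htaccess under docroot plus the one in its parent (the above-the-root trick)."""
    docroot, report = Path(docroot), {}
    for path in [docroot.parent / ".htaccess", *docroot.rglob(".htaccess")]:
        if path.is_file():
            hits = scan_htaccess_text(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report

# Constructed sample: 120 blank lines, then referer conditions and a 301 to a
# placeholder .ru target, mimicking the injected rules the post describes.
SAMPLE_INFECTED = "\n" * 120 + (
    "RewriteEngine On\n"
    "RewriteCond %{HTTP_REFERER} .*google.* [NC,OR]\n"
    "RewriteCond %{HTTP_REFERER} .*wikipedia.* [NC]\n"
    "RewriteRule ^(.*)$ http://example.ru/dir/index.php [R=301,L]\n")
```

Run `scan_site("/path/to/public_html")` on a copy of the site; a hit in the parent directory's .htaccess is the placement most webmasters never look at.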

Domains and servers

All these domains are registered by someone with the email address ivan-sushkin@yandex.ru and phone number +7 926 3411572 (this personal info can be forged). Domains are registered in small batches — you can identify them by similar names. E.g. ar-kirm .ru, kirmar .ru, sky-ar .ru and skykirm .ru were registered on September 22nd, and the most recent batch, which includes devisionnetwork .ru and networkdevision .ru, was registered just a few days ago, on October 10th.

Not only does this attack change the domain names of the malicious sites, it also changes the IP addresses of the servers hosting the malicious content (most likely they have to move when network administrators disconnect their servers after numerous abuse reports).

During the last six months they used servers with the following IP addresses

Malicious redirects on disabled sites

I noticed an interesting thing. Sometimes hosting providers temporarily shut down websites (either because of security problems or simply because the owner is late with a payment) and redirect visitors to a page that usually reads something like “The website you were trying to reach is temporarily unavailable.” The thing is, this hoster’s redirect has lower priority than the malicious redirect in the .htaccess files. As a result, despite all the hosters’ efforts, such disabled sites are still dangerous if people click on their links in search engine results.

Infection vector

Although David thinks it’s an osCommerce-specific attack, I’ve seen it on many sites that don’t use osCommerce. To my mind, the FTP vector is more probable. Moreover, many infected sites contain other types of malicious code at the same time, so it could be just a coincidence that David found this .htaccess exploit on hacked osCommerce sites. Or maybe hackers started to diversify their infection methods — who knows. Please leave a comment below if you have any information that can prove either hypothesis.

To webmasters

In any case, it’s always a good idea to start by checking your own computer for malware. Then change all site passwords and keep them secure (don’t save them in your FTP clients; instead, you might want to try this KeePass trick). Finally, remove the malicious redirect rules from the .htaccess files. Additionally, you can check for the backdoor scripts mentioned by David and make sure all third-party scripts are fully patched and properly hardened.

Okay folks, well I too have just experienced this htaccess redirect problem.

I am running two types of self-hosted web servers for my WordPress sites, a Mac mini and a Windows mini with WAMP Developer Pro.

This has only happened on my Windows server, which runs about 50 websites.

All my traffic was being directed to a Russian site on each and every one of my websites on the Windows server, and I found that this occurred due to a second htaccess file that was being created in the webroot folder of every site, even non-functioning sites.

By deleting this file (which has no file name btw), my site became clean, as tested with Sucuri.